31 July 2009

Defending Information Assets by Reducing the Attack Surface

The best way to protect an Information Asset is to reduce its attack surface, and that should always be the first line of defense. Appropriate security controls should then be applied to the residual risk, both to prevent attacks that the remaining surface still allows and to limit the damage if one succeeds.

The first and most important step in reducing the attack surface is to identify the weaknesses and vulnerabilities of an Information Asset.

Steps in Identifying the Vulnerabilities include:

1. Identifying vulnerabilities in the Application

2. Identifying vulnerabilities in the Host

3. Identifying vulnerabilities in the Network

Once the vulnerabilities are identified, the next step would be reducing the attack surface.

There are many ways to reduce the attack surface of an information asset including but not limited to:

1. Limit access to the Information Asset.

2. Limit privileges (enforce least privilege policies).

3. Reduce the number of services installed on the device (remove or shut down unwanted services).

4. Limit the number of communication protocols.

A narrowed attack surface reduces the likelihood of an attack and limits the extent of the damage even if an attack does occur.

Access to an Information Asset can be limited by enforcing strong access control methods. It can also be limited by reducing the entry points (console access, open ports, etc.). Unwanted ports and protocols should be disabled on all information systems. Critical applications should only be installed on dedicated systems, and on those systems every port and service that the application does not need should be disabled as well.
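As a worked illustration of the last two points (removing unwanted services and limiting entry points), the script below is an added example and is not part of the original post. It assumes a Linux host with ss(8) and iptables; the listener table it inspects is constructed sample data shaped like `ss -tlnp` output for a hypothetical dedicated web server, and the allowlist of ports is likewise an assumption for that host. The first function reports every network-facing listener that is not on the allowlist (loopback-only binds are skipped because they are not reachable from the network); the second emits a default-deny inbound rule set that exposes only the allowlisted ports.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host's listening services
# against an allowlist of expected externally exposed ports, then emit a
# default-deny firewall rule set for the allowed ports. Assumes a Linux host
# with ss(8) and iptables. The listener table below is CONSTRUCTED sample data
# shaped like `ss -tlnp` output for a hypothetical dedicated web server.

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1203,fd=7))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=540,fd=4))
LISTEN 0      50     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=990,fd=3))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1410,fd=20))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

# Ports the hypothetical dedicated web host is expected to expose to the network.
ALLOWED_PORTS="22 80 443"

# unexpected_listeners LISTENER_TABLE ALLOWED_PORTS
# Prints "port process" for every listener bound to a non-loopback address
# whose port is not in the allowlist. Loopback-only binds are skipped because
# they are not reachable from the network (they still matter for local
# privilege boundaries, but that is a separate review).
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            n2 = split(addr, parts, ":")
            port = parts[n2]
            # everything before the final ":" is the bind address (IPv4 or [IPv6])
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            if (port in ok) next
            proc = "unknown"
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            print port, proc
        }'
}

# allowlist_rules ALLOWED_PORTS
# Emits iptables commands that accept loopback, already-established traffic and
# the allowlisted TCP ports, and only then switch the INPUT policy to DROP, so
# that running the commands in order over an SSH session does not cut it off.
allowlist_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Usage: on a real host, replace SAMPLE_LISTENERS with "$(ss -tlnp)".
unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PORTS"
allowlist_rules "$ALLOWED_PORTS"
```

On the sample data the audit flags rpcbind on port 111 and vsftpd on port 21, both of which should be removed or stopped on a dedicated web server rather than merely firewalled; the firewall rules are the second layer, so that a service accidentally reinstalled later is still not reachable.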

I will be discussing various methods we can follow to identify vulnerabilities and to reduce the attack surface in applications, hosts and networks in the next three posts.

Part 1: Identify and Reduce Attack Surface in Applications

Part 2: Identify and Reduce Attack Surface in Host

Part 3: Identify and Reduce Attack Surface in Network

Disclaimer: "Whatever I discuss here is my personal opinion and does not represent the opinions or positions of my employer."


About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org